Netgate Discussion Forum

    ATT Uverse RG Bypass (0.2 BTC)

    555 Posts 80 Posters 1.2m Views
    • I
      Ican'treadorwrite @Dade
      last edited by

      @Dade I realize you posted this a long time ago, so sorry for bringing this up again. I also have ATT with 5 extra static IPs (/29). I made another LAN interface and assigned the "Gateway IP" from ATT to this interface. I don't have any problem using 1:1 NAT to assign public IPs to specific devices on my LAN.

      I am also using the static "Gateway IP" from ATT as the IP address for a VPN server, which works except for one thing. My ATT static Gateway IP is 75.xxx.xxx.78. My dynamic ATT IP is 68.xxx.xxx.29. I can connect to the VPN using the address 75.xxx.xxx.78, but while connected to this VPN, if I google "what is my IP address" the response is 68.xxx.xxx.29, when it should be 75.xxx.xxx.78.

      Using your method, were you able to resolve this? Either way, could you describe the firewall/NAT rules that you used?

      Thanks!

      • F
        foxide @Ican'treadorwrite
        last edited by

        @Ican-treadorwrite The IP you're going to see on a "what's my IP" query is going to be the NAT IP that applies to that traffic. You'll have to create a new NAT rule ONLY for the internal IP addresses of your VPN clients specifying that that specific IP (your static IP) is the "NAT address" for that traffic.

        • S
          shad0wca7 @bkatt
          last edited by

          @bkatt said in ATT Uverse RG Bypass (0.2 BTC):

          Hello All.
          I am able to get this script working via bridge mode, but having issues getting it to work via supplicant mode. It is running on bare metal.

          The script seems to hang at "Waiting EAP for authorization"

          I have root and wheel group full permission to the 3 certs. I got them from ebay and converted them into the correct format using some tools suggested online. Is there anything easy I could be missing? Been through the guide multiple times but cannot seem to figure it out thus far.

          I have checked the configuration inside pfatt.sh multiple times and appears to be correct.

          I am having this exact same situation. Permissions, names, etc all look fine - it just hangs at 'waiting EAP for authorisation'....

          • A
            AiC0315 @shad0wca7
            last edited by

            @shad0wca7
            What are your file names and file type?
            I have my permissions set to 755

            • B
              bk150
              last edited by

              I really hope the underlying issue people are having isn't related to this: https://www.dslreports.com/forum/r32839785-AT-T-Fiber-Gateway-bypass-with-WPA-supplicant-stopped-working-2-days-ago

              • A
                AiC0315 @bk150
                last edited by

                @bk150
                I'm running 2.4.5 and rebooted just the other day with no problems.

                • S
                  shad0wca7 @AiC0315
                  last edited by

                  @AiC0315

                  -rw-------  1 root  wheel  6431 Aug 22 16:46 ca.pem
                  -rw-------  1 root  wheel  1131 Aug 22 16:46 client.pem
                  -rw-------  1 root  wheel   887 Aug 22 16:46 private.pem
                  
                  • B
                    bkatt @AiC0315
                    last edited by bkatt

                    @AiC0315 I set my permissions to 775 and tested. It was previously set to 774. Unfortunately same message, "Waiting EAP for Authorization". Three files, ca.pem, client.pem, and private.pem. Running 2.4.5 r1 also.

                    • A
                      AiC0315 @bkatt
                      last edited by

                      @bkatt
                      Well unfortunately mine is now broken!
                      I imagine it has something to do with the link @bk150 posted earlier.

                      • Darth AndroidD
                        Darth Android
                        last edited by

                        I recently set up new service with AT&T and was not able to get wpa_supplicant/dhcp working without making a few tweaks to the pfatt.sh script:

                        1. wpa_supplicant had to run on the bare port, not ngeth0
                          -WPA_DAEMON_CMD="/usr/sbin/wpa_supplicant -Dwired -ingeth0 -B -C /var/run/wpa_supplicant"
                          +WPA_DAEMON_CMD="/usr/sbin/wpa_supplicant -Dwired -i$ONT_IF -B -C /var/run/wpa_supplicant"
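                          Review bot: binding the supplicant with `-i$ONT_IF` instead of `-ingeth0` means the physical port must already be up when `WPA_DAEMON_CMD` runs, and this hunk does not show where the daemon start sits relative to the `/sbin/ifconfig $ONT_IF up` in the next hunk; confirm that ordering (or move the `up` ahead of the daemon start) and note in the comment above the variable that the supplicant now talks on the bare port while ngeth0 is only used for the VLAN0 tagging.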
                          
                        2. Both the bare port and ngeth0 had to have a MAC that matched the certificates I was using (not my assigned router gateway, as I had purchased certificates online instead of messing with the firmware of my assigned gateway):
                          -/usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR
                          +/usr/sbin/ngctl msg ngeth0: set $EAP_SUPPLICANT_IDENTITY
                          
                           /usr/bin/logger -st "pfatt" "enabling promisc for $ONT_IF..."
                          +/sbin/ifconfig $ONT_IF ether $EAP_SUPPLICANT_IDENTITY
                           /sbin/ifconfig $ONT_IF up
                           /sbin/ifconfig $ONT_IF promisc
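                          Review bot: `$EAP_SUPPLICANT_IDENTITY` is now used as a MAC address in two places (the `ngctl msg ngeth0: set` line and the new `ifconfig $ONT_IF ether` line), which leaves `$RG_ETHER_ADDR` unused and silently requires the identity to be a colon-separated MAC that both ngctl and ifconfig accept; either assign `RG_ETHER_ADDR=$EAP_SUPPLICANT_IDENTITY` once near the top and keep the original lines, or document that requirement next to the variable. Also add a `/usr/bin/logger -st "pfatt"` line for the MAC change, matching the `enabling promisc` message just above it, so a wrong value shows up in the log instead of only as an EAP timeout.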
                          

                        This got me line speeds with minimal CPU usage on a bare metal installation of pfsense (CPU is a Xeon D-1518 @ 2.2 GHz, for reference, which is overkill for this but not for the 10 Gbps ports).

                        That said, I still do not have IPv6 working fully, and am at a loss there; I can get a WAN IP via DHCPv6, and I can get prefix delegations for all of my LANs, but IPv6 packets just get dropped several hops outside of my network without the slightest hint as to why.

                        • P
                          pyrodex
                          last edited by

                          @Darth-Android said in ATT Uverse RG Bypass (0.2 BTC):

                          That said, I still do not have IPv6 working fully, and am at a loss there; I can get a WAN IP via DHCPv6, and I can get prefix delegations for all of my LANs, but IPv6 packets just get dropped several hops outside of my network without the slightest hint as to why.

                          Did you set your IPv6 to DHCPv6 on your WAN and then in the IPv6 settings set a prefix? I have my prefix set to /60 and the following settings:

                          Use IPv4 Connectivity as Parent Interface - Checked
                          Request only an IPv6 Prefix - Checked
                          Send IPv6 Prefix Hint - Checked

                          Once this is done, save, and then go to each non-WAN interface, set IPv6 to TRACK, set the track interface to WAN, and start with 0, incrementing by one for each interface.

                          • Darth AndroidD
                            Darth Android @pyrodex
                            last edited by Darth Android

                            @pyrodex Hmmmm, those checkboxes are different from what's recommended in the pfatt repo, but even with your settings I can't get more than 2 hops into AT&T's network before the packets disappear. (traceroute6 google.com always shows pfsense + 2 more hops, and then nothing; pfsense is connected directly to the ONT in my setup)

                            • Darth AndroidD
                              Darth Android @Darth Android
                              last edited by

                              @Darth-Android said in ATT Uverse RG Bypass (0.2 BTC):

                              always shows pfsense + 2 more hops, and then nothing

                              I actually seem to get a 3rd hop beyond pfsense when I uncheck Request only an IPv6 Prefix, but still no actual connectivity to external addresses.

                              • S
                                shad0wca7 @Darth Android
                                last edited by

                                @Darth-Android Interesting I may give this a try later. Though it’s working now in bridge mode and that makes me hesitant to touch it more... especially with potential changes they’re making..

                                Is the supplicant mode meant to be faster than bridge?

                                • Darth AndroidD
                                  Darth Android @shad0wca7
                                  last edited by

                                  @shad0wca7 It should not be any faster per se, but it reduces complexity (read: failure points) and allows you to not have to find space / power for the RG.

                                  The questions about speed are around the use of netgraph (ngctl) to strip the VLAN0 headers in pfsense instead of putting a dumb switch between the ONT and pfsense; netgraph is extremely flexible, but comes at a cost of CPU performance and if your CPU doesn't have enough horsepower, that could be an issue. However: Both the bridge and supplicant methods with pfatt use netgraph, so if you have the bridge method working satisfactorily, supplicant should be about the same in terms of speed/CPU usage.

                                  • F
                                    fresnoboy
                                    last edited by

                                    Actually, if you are running pfsense as a guest under VMware, you don't need netgraph at all for the wpa_supplicant version. And this also meant for me that I didn't need to do PCI passthrough of interfaces, which made VM migration to another machine much easier.

                                    I haven't been able to figure out how to make vMotion migration work, though I did buy a dumb switch that will let me play with it when I get time and the kids aren't using the network for school.

                                    • Darth AndroidD
                                      Darth Android
                                      last edited by

                                      Ah, yeah, I keep forgetting the difference between virtualized and bare-metal. If you have something (dumb switch, virtualization) that strips the VLAN0 tags, straight supplicant without any netgraph will be faster / less CPU intensive.

                                      • S
                                        shad0wca7 @Darth Android
                                        last edited by

                                        @Darth-Android cool. I’m running bare metal on an HP T620 plus (4 core AMD Jaguar) which is ample.. I’ll leave bridge mode working for now but watch this with interest.

                                        • B
                                          bquedens
                                          last edited by

                                          Hi folks, having some trouble: wpa_supplicant seems to be hanging at "starting wpa_supplicant" and doesn't advance past that. I put another /usr/bin/logger -st before WPA_DAEMON_CMD and it stops right there, before that command is run. Any ideas?

                                          • P
                                            pyrodex
                                            last edited by

                                            I am running OPNsense (Don't hate me..) with the same code base and using supplicant mode with netgraph on bare metal without issues.

                                            I get full line speed and can make my line testing with Torrents and multiple users.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.